However, victim devices are primarily located in Iran (20%), Brazil (9%), Vietnam (8%) and Russia (8%).

As reported previously, Hajime spreads like Mirai via unsecured devices that have open Telnet ports and use default passwords, and uses the same log-in combinations as Mirai plus two more.

However, it’s more resilient – based on a P2P architecture – and is modular, meaning new capabilities could be added over time. It also has no DDoS functionality at the moment, and is only focused on propagation.

Kaspersky Lab analysis found that Hajime’s attack module supports three different attack methods; the newest being TR-064 exploitation.

However, the researchers are still bemused as to the end goal of the campaign.

Some have speculated that it could be a white hat trying to lock down endpoints before the likes of Mirai get hold of them.

That’s because it blocks access to several ports which host services that can be exploited by malware including Mirai.

Plus, infected devices display a cryptographically signed message from the author: “Just a white hat, securing some systems.”

“The most intriguing thing about Hajime is its purpose. While the botnet is getting bigger and bigger, its objective remains unknown. We have not seen its traces in any type of attack or additional malicious activity,” said Konstantin Zykov, senior security researcher, Kaspersky Lab.

“Nevertheless, we advise owners of IoT devices to change the password of their devices to one that’s difficult to brute force, and to update their firmware if possible.”